I know that a DNS update can take 72 hours in some cases but we've checked and it's propagated fully by now.

Actually adding a new CNAME RR to an existing zone is instantaneous. There's no propagation delay.

I do see that marketo.armor.com is pointed to mkto-sjl0027.com. When you say you're getting a "site can't be reached" (not "the redirect URL is empty") I wonder if this is because you have an internal DNS server that has its own copy of the armor.com zone, and that internal side hasn't been updated by IT. Have you tested from outside your corporate network (including VPN clients)?

Eh no. You have to open a support case and provide your SSL cert to Marketo, then they install the cert. For a fresh SSL install, this can actually take them some time (like weeks) but I'm assuming you already have SSL on your Marketo LP domain, so it should be fast/faster.

That's a much easier fix than the answer I got from support. I have to say that the way support worded it in the reply, it sounded as though HTTPS wasn't supported at all for branded domains. Thank you for clarifying, Sanford.

I'll reach back out to support and get them working on adding our SSL certificate which we do have on our LP domain.

My IT Security team will be glad to hear that's the fix instead of allowing HTTP.

Yes it did, and I've been meaning to write the follow-up conclusion to this post, and now might be helpful for you all.

The issue began for us when Google Chrome started enforcing HTTPS for any domain connected with the top level HSTS set. In our case, because our top-level domain Armor.com has HTTPS, Chrome and several other browsers automatically change any HTTP addresses to HTTPS, so HTTP://marketo.armor.com/XXXXXX became HTTPS://marketo.armor.com/XXXXXX in Chrome, Firefox and others (Safari is one of the only browsers we tested which does not enforce HTTPS based on top-level domain HSTS).

If you were on the default mkto-XXXXX.com tracking domain, you might never notice the change (as this domain doesn't utilize SSL or HSTS). However, if you use a branded tracking link with a CNAME redirect, and YourDomain.com uses HTTPS, your branded tracking subdomain Example.YourDomain.com will not work in Chrome, Firefox, and most browsers. (It should be noted that there is NO roll-back to the default tracking link.)

The solution is: Contact your Marketo rep, tell them you need a secure email tracking server running an SSL certificate and the branded tracking domain you have chosen, example: marketo.armor.com pointed to your Marketo email tracking link (found in the admin panel and under email).

It will take a few days to spin up the new server and get the SSL cert. installed but it will fix the issue.

One of our frustrations was that first-level Marketo support told me they can't do SSL certs. on email tracking servers. As Sanford Whiteman correctly points out above, this IS possible and a common practice for security-minded users. We have SSL on both our landing page server and email server.

Until they can get you the SSL-secured email server up, one option we used was to disable tracking on email links (this bypasses the tracking domain). You will lose tracking on email links but the links will function. It's not ideal, but it will get you by until the new SSL-secured email tracking server can be up and running.

This was a tricky issue for us to solve and it took our DevOps team, Marketo Support and some excellent Community feedback to solve it. I hope this will help you get it resolved fast and give you an option in the interim.

Please feel free to reach out to me with any questions and I'll be happy to help or provide further details.
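
Added example, not part of the original thread: the browser behaviour described in the post above matches the `includeSubDomains` directive of HSTS (RFC 6797), which this Python check models for policies a browser has already stored. The host names and the header value are constructed placeholders, not values from the thread.

```python
# Added example (not from the thread): RFC 6797 matching of a host against
# HSTS policies a browser has already stored for it or for a parent domain.

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                      # a directive may appear only once
            return None
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def forced_https(host, stored):
    """Return the policy host that makes the browser rewrite http://host, or None.

    stored: {host: Strict-Transport-Security value the browser saw over HTTPS}.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # the host itself, then each parent
        candidate = ".".join(labels[i:])
        policy = parse_hsts(stored.get(candidate, ""))
        if policy is None or policy[0] == 0:  # max-age=0 means "forget this policy"
            continue
        if i == 0 or policy[1]:               # parents count only with includeSubDomains
            return candidate
    return None


# Constructed sample: hypothetical names, not values taken from the thread.
STORED = {"yourdomain.example": "max-age=31536000; includeSubDomains"}
BRANDED = "track.yourdomain.example"          # CNAME to the vendor tracking host
DEFAULT = "mkto-xxxxx.example"                # stand-in for a default tracking host

if __name__ == "__main__":
    for h in (BRANDED, DEFAULT):
        print(h, "->", forced_https(h, STORED) or "stays on http")
```

The branded host is upgraded because of the parent's policy even though the tracking server itself never sent an HSTS header, which is why the CNAME target needs a valid certificate for the branded name.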

Thank you for your very thorough reply! This was extremely helpful for you to document and it validates the issue we've been having the last 4 months. We are actually already in the process of installing our SSL cert on our email tracking domain and already have it installed on our landing pages. It was quite a frustrating process to isolate the issue and even come to terms on a solution to fix it with Marketo Support. There was conflicting information provided from their team on whether the SSL cert would actually work, so hearing this confirmation from you makes me so happy!

As an interim solution, we've disabled the Marketo link tracking in our emails so recipients can access our links with no error messages. The negative impact is we're unable to track click link activity but it's the best case scenario until the SSL cert is installed.

I'm looking forward to no longer having email recipients reach out letting us know the email links aren't working.

I can't imagine how frustrated you must be after 4 months! I ran into much of the same conflicting information and leaned heavily on our internal security operation team and the input here on the community to find the solution. Even then, it took some time to solve the issue.

"As an interim solution, we've disabled the Marketo link tracking in our emails so recipients can access our links with no error messages. The negative impact is we're unable to track click link activity but it's the best case scenario until the SSL cert is installed."

We did the same and lost analytics on links for a time, but as you say it was better than sending broken links out.

Let me know when your new server is spun up and all is back up and functioning. We're 3 months into the new server and no issues.